As I have spent some time researching and developing a WP8 application security testing methodology and process, I have come up with three key security features that are missing from Microsoft’s Windows Phone 8. From an offensive security perspective, these features are good to have for testing, but from an end user perspective they are much more important:

VPN Support

HTTP Proxy Authentication

Digital Certificate Management

VPN Support

When testing a mobile app, a tester often wants to see all of the app's traffic, not just the HTTP traffic. This is generally done with a VPN connection using a tool like Mallory. Unfortunately, Windows Phone 8 does not support VPN. There is nowhere to configure a VPN connection! Thankfully there are other ways to see all of the Windows Phone 8 traffic and I will cover that in a future post.

HTTP Proxy Authentication

Windows Phone 8 allows you to configure HTTP and HTTPS traffic to go through a proxy but it does not allow you to authenticate to that proxy. As you can see below, proxy configuration is per Wi-Fi network but only allows configuring an IP and Port. There is no place to configure authentication:

Digital Certificate Management

Windows Phone 8 has no ability to manage digital certificates that have been installed on a device. In a previous post I explained how to install a certificate on a WP8. Unfortunately, there is no way to remove the certificate.

Conclusion

I identified all three of these missing security features of Windows Phone 8 because I was testing WP8 apps. These features come standard in iOS and Android, and it is strange that Microsoft did not include them in Windows Phone 8. All three of these features have valid business uses to ensure security for the device, especially if it is owned by an organization and will be used on a corporate network.

By now you should be familiar with the WP8 app you are testing and need to see the type of traffic it is sending to transmit data to the Internet. This post will show you how to use an HTTP proxy, configure it on the WP8 device, and install a digital certificate to see HTTPS traffic as well. If you are using an emulator you have a couple more steps which will be explained in the last portion of this post. As per the OWASP mobile security testing methodology this will be part of the Dynamic Analysis.

HTTP Proxy

The first step will be to install an HTTP proxy on your computer. You will run the proxy from your computer and configure WP8 to send all traffic to it instead of directly to the Internet. This will allow you to see the traffic as well as modify it if you choose.

There are many HTTP proxies to choose from and everyone has his/her favorite. Since we mentioned OWASP in the previous post, we will use the OWASP Zed Attack Proxy (ZAP). Download and install it on your Windows 8 system where the Windows Phone SDK is installed. If you are using a physical device, you can use any system you have on the same local network as the WP8.

Do you know your computer’s IP address? This is needed to configure the proxy and your WP8. In Windows open a command prompt (start-cmd.exe) and type ipconfig:

Now run ZAP and accept the terms. On the top menu select Tools – Options. A new window will open, select local proxy from the left. On the Address field, put the IP Address of your system:

Click OK. You may get a message asking you to allow connection through the firewall. Click Accept. If you have any other firewall, you will need to allow connections on port 8080.

Configure WP8

You now need to configure WP8 to use the proxy. Go to Settings – System – WiFi. Select the Wireless network you are on. You should be in the Edit Network menu. Slide the Proxy button to On. Fill out the Server and Port that you configured for your proxy:

Test this by opening IE on WP8 and going to http://www.google.com/. You should see the HTTP request and response in ZAP:

To ensure all HTTP and HTTPS traffic is sent via WiFi and to your proxy, disable data on your mobile network: Settings – Mobile Network – Data Connection – Off. Or you can pull the SIM from the phone.

Also note that WP8 does not allow you to authenticate to a proxy. This won’t be a problem in this scenario, but it is basic functionality that Microsoft should really consider adding to WP8.

HTTPS

Try accessing an HTTPS page, for example https://www.google.com/. You should see the standard IE invalid digital certificate error. In IE, an end user can click “Continue to website (not recommended)” and you would see all the HTTPS traffic on your proxy. This is because the certificate being presented to the WP8 device is from your HTTP proxy. At this point, before installing anything, you should test your app and see if it sends traffic via HTTP or allows sending traffic via HTTPS to sites that have not successfully validated the digital certificate. The reason for doing this first is that once you install the ZAP certificate, WP8 does not provide a way to delete it later on. So to test whether an app disregards the digital certificate in the future, you will need to generate a new ZAP certificate on the proxy.

To avoid the invalid digital certificate errors and verify the WP8 app requires a validated certificate, you need to install the proxy’s certificate on the WP8 device. In ZAP, go to Tools – Options. This time click on Dynamic SSL Certificate on the left. The certificate should be there, if not click Generate and then Save.

You will now need to open the .cer file on your Windows Phone. There are many ways to do this:

Email it to yourself

Save it on SkyDrive and access it from IE (remember App Sandboxing won’t allow you to install the cert onto the device if it is opened with SkyDrive App)

Transfer it via USB

Host it on a web server and browse to it with IE

Once you open it, you should be prompted to install the certificate:

Once installed, navigate to a site using SSL: https://www.google.com/. Notice that you did not get a certificate error and you can see the requests and responses in ZAP. Now use the app you are testing and see if you can see the HTTPS traffic.

Emulator

The Windows Phone 8 emulator is a Hyper-V virtual machine with its own IP address. This means the network traffic will route from the virtual machine (emulator) to your Windows 8 system running the SDK and then out to the Internet. The easiest way to configure the emulator to use a proxy is to configure the Windows 8 system’s IE proxy settings. Click on the Gear on the top right of IE and select Internet Options. Click the Connections tab and then LAN Settings. Check the box under Proxy Server: Use a proxy server for your LAN. In the Address field put your IP address and Port 8080 as configured in your HTTP Proxy (ZAP). You will need to restart the emulator every time you change the proxy settings on your host.

More Information Gathering

Now that you can see the HTTP and HTTPS traffic the WP8 app sends and receives, more information may be gathered on the application. Taken straight from the OWASP mobile security testing methodology under Information Gathering:

Can you determine anything about the server side application environment?

Hosting provider (AWS, App Engine, Heroku, Rackspace, Azure, etc.)

Development environment (Rails, Java, Django, ASP.NET, etc.)

Does the application leverage Single Sign On or Authentication APIs (Google Apps, Facebook, iTunes, OAuth, etc.)

Any other APIs in use

Payment gateways

SMS messaging

Social networks

Cloud file storage

Ad networks

Perform a thorough crawl of exposed web resources and sift through the requests and responses to identify potentially interesting data or behavior

Leaking sensitive information (e.g. credentials) in the response

Resources not exposed through the UI

Error messages

Cacheable information

Vulnerabilities

At this point you may have identified even more vulnerabilities. Here are some ideas as to what you may find after being able to see HTTP and HTTPS traffic:

Encryption not enforced – I prefer always enforcing HTTPS even for non-sensitive data. Most end users connect to any free/untrusted WiFi and modifying HTTP data is trivial. We will cover this in another post.

Sensitive information sent in clear text

Credentials sent over HTTP instead of HTTPS

Digital Certificate not validated

Does the app accept the invalid cert and send sensitive information?

No warning on invalid digital certificate

Basic Authentication used

No Mutual Authentication
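As an added illustration of the traffic-level items in the checklist above (this is not code from the original post), the following Python applies those checks to raw requests in the form a proxy such as ZAP displays them. The host name and the two sample requests are constructed for the example.

```python
import base64
from urllib.parse import parse_qs

# Form parameter names that usually carry credentials or other sensitive values.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pin", "token", "ssn", "cardnumber"}

def parse_request(raw: str) -> dict:
    """Split a raw HTTP request, as displayed by the proxy, into its parts."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}

def check_request(raw: str, scheme: str) -> list:
    """Return the checklist items one captured request triggers; scheme is 'http' or 'https'."""
    req = parse_request(raw)
    findings = []
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is only base64 encoded, so whoever sees the request sees the credential.
        user = base64.b64decode(auth.split(" ", 1)[1]).decode(errors="replace").split(":", 1)[0]
        findings.append(f"Basic Authentication used (user '{user}')")
    sensitive = sorted(k for k in parse_qs(req["body"]) if k.lower() in SENSITIVE_PARAMS)
    if scheme == "http":
        findings.append("Encryption not enforced (plain HTTP)")
        if sensitive:
            findings.append(f"Sensitive information sent in clear text: {sensitive}")
        if auth or "password" in sensitive:
            findings.append("Credentials sent over HTTP instead of HTTPS")
    return findings

# Constructed sample requests (hypothetical host, not captured from any real app).
LOGIN_REQUEST = (
    "POST /api/login HTTP/1.1\r\n"
    "Host: api.example.test\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:hunter2").decode() + "\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=hunter2"
)
SEARCH_REQUEST = "GET /api/search?q=weather HTTP/1.1\r\nHost: api.example.test\r\n\r\n"
```

Run `check_request(LOGIN_REQUEST, "http")` against the login request to see all four findings; the same request over "https" only reports the Basic Authentication item.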

Web Application Assessment

Knowing what URLs the WP8 app communicates with will allow you to perform traditional Web Application testing. Ensure the server side components are in scope and follow the usual testing methodology for assessing web apps. If your phone can access it, your browser probably can too!

Conclusion

You should now be able to see and modify HTTP and HTTPS requests between the WP8 app and the server side components. This visibility facilitates the continuation of information gathering as well as vulnerability identification and verification.

Information Gathering – describes the steps and things to consider when you are in the early stage reconnaissance and mapping phases of testing as well as determining the application’s magnitude of effort and scoping.

Dynamic Analysis – executing an application either on the device itself or within a simulator/emulator and interacting with the remote services with which the application communicates. This includes assessing the application’s local inter process communication surface, forensic analysis of the local file system, and assessing remote service dependencies.

The first phase of any vulnerability assessment or penetration test is understanding what you are testing. This step will prepare you for the future tests we will cover in this series. Learning how the application works will reveal what it “should” do so you can identify when it does something it “should not”. This step also helps identify attack vectors you will try to exploit.

Navigate through the application. This will expose you to the application as an end user would use it. Tap through all the different features, look at the settings, etc. This may be performed on the device or in the emulator as we covered in previous sections.

Identify the network interfaces used. Does the application require internet connectivity? If so, does it work through Wi-Fi only, SIM only? Does the application use bluetooth, NFC, a VPN?

Does the application take your input? Any sensitive information? Does it access any sensitive information?

What other components does the application interact with? Contact list, calendar, camera, location?

Do some reconnaissance. Has this app been talked about already? Search Google, app store reviews, etc.

It is a good idea to document all of this as you go, particularly any attack vectors you identify. For instance, you notice that sensitive information must be submitted and sent to a web server. It would be a good idea to write that down and test it during the dynamic analysis of network traffic to ensure the data is being transferred securely. Also, you will want to make sure the sensitive information is not being stored locally.

Vulnerabilities

During the information gathering phase you may already have some vulnerabilities in mind. Here are a few to consider:

No application pass code – does the app reveal sensitive information that requires authentication? Should it have its own pass code? This may be a consideration for apps storing company data while the devices are BYOD and don’t require a device pass code.

Weak pass code – does the app enforce good password policies?

Minimum of how many characters?

Complexity?

Password rotation?

Password lock out?

Sensitive information stored on disk – does the app request sensitive information from the end user and then store it? We will look at local storage later in this series.

Conclusion

In this step we covered using the application for the first time to gather as much information as possible. Good notes were taken so they may be used in the different phases of testing.

Side loading is the act of installing an application from your computer connected directly to your device. To do this in WP8 you must obtain the XAP file from the developer. Ensure this is in your contract, as push back from developers asked to provide the XAP file is common. Note that the phone will only run apps signed with trusted certificates and your phone must be unlocked, as explained in parts one and two of this series respectively.

You may download a XAP file from the store if you want to follow along and do not have the developer provided XAP file. Search the Windows Phone store for the app you will be testing and select Download and install manually from the bottom left of the screen as shown in the screen shot below:

Alternatively, you can download a XAP file from XDA-Developers. Here is a link to the YouTube XAP.

What is a XAP file?

XAP is a file format used for both Windows Phone applications and Silverlight applications. XAP files are ZIP formatted packages. The MIME type associated with XAP files is application/x-silverlight-app. The XAP file generally contains an AppManifest.xaml file which defines the assemblies that get deployed in the client application as well as the DLLs required by the app. Below is an example:

XAP files downloaded from the app store come PlayReady DRM encrypted. Encrypted XAP files will not run in the emulator. This is one of the reasons I prefer to have a physical device.

To determine whether the XAP file is encrypted, you can open it with Notepad. If the first characters are PK then the file is not encrypted. If the first characters are PRE, then it is encrypted. Here is an example; the one on the left is not encrypted.
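The two checks described above (the AppManifest.xaml inside the ZIP, and the PK versus PRE leading bytes) can be scripted. This is an added example, not code from the original post: it classifies a package by its first bytes and, for an unencrypted XAP, lists the entries and the assemblies the manifest declares. The sample manifest and the in-memory XAP it is packed into are constructed for a hypothetical app.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Leading bytes described in the post: an unencrypted XAP is a ZIP archive ("PK"),
# a store download is PlayReady-encrypted and starts with "PRE".
ZIP_MAGIC = b"PK"
PLAYREADY_MAGIC = b"PRE"
# Default XML namespace of a Silverlight/WP8 AppManifest.xaml.
DEPLOY_NS = "http://schemas.microsoft.com/client/2007/deployment"

def classify_xap(data: bytes) -> str:
    """Return 'zip', 'playready' or 'unknown' from the first bytes of the file."""
    if data.startswith(PLAYREADY_MAGIC):
        return "playready"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"

def inspect_xap(data: bytes) -> dict:
    """Classify the package; for a plain ZIP, list entries and the assemblies the manifest declares."""
    result = {"kind": classify_xap(data), "entries": [], "entry_point": None, "assemblies": []}
    if result["kind"] != "zip":
        return result  # encrypted or unknown: nothing further can be read offline
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        result["entries"] = zf.namelist()
        if "AppManifest.xaml" in result["entries"]:
            root = ET.fromstring(zf.read("AppManifest.xaml"))
            result["entry_point"] = root.get("EntryPointAssembly")
            for part in root.iter(f"{{{DEPLOY_NS}}}AssemblyPart"):
                result["assemblies"].append(part.get("Source"))
    return result

# Constructed sample manifest for a hypothetical app; not taken from any real XAP.
SAMPLE_MANIFEST = f"""<Deployment xmlns="{DEPLOY_NS}"
  xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
  EntryPointAssembly="SampleApp" EntryPointType="SampleApp.App">
  <Deployment.Parts>
    <AssemblyPart x:Name="SampleApp" Source="SampleApp.dll" />
    <AssemblyPart x:Name="Newtonsoft.Json" Source="Newtonsoft.Json.dll" />
  </Deployment.Parts>
</Deployment>"""

def build_sample_xap() -> bytes:
    """Build a minimal unencrypted XAP in memory so the inspector can run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AppManifest.xaml", SAMPLE_MANIFEST)
        zf.writestr("SampleApp.dll", b"MZ placeholder, not a real assembly")
    return buf.getvalue()
```

To inspect a real file, pass the bytes read from disk to `inspect_xap`; a store download will come back as "playready" with no entries, matching the post's note that such packages will not run in the emulator.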

Side Loading

To side load the app, you can use the Application Deployment shortcut that came installed with the Windows Phone SDK or a tool called Windows Phone Power Tools. We will use Windows Phone Power Tools to look at the local storage of the app in the following post. Install the tool from its website onto your Windows 8 system with the Windows Phone SDK.

Plug in your device, unlock it, and run the Windows Phone Power Tools application. You will be able to launch an emulator from the drop down or connect to the device.

Make sure your physical device is connected to the Windows 8 system via USB, unlock it, and click Connect. From the main screen, you can click browse and select the XAP file to side load:

Click Install and wait for the app to install.

Conclusion

You now have an understanding of how WP8 applications are packaged and distributed. To look at the local storage of the app you will need the developer provided XAP file and side load the app onto your device or emulator. Now that you have the app installed on the device or emulator we will begin testing!